iproute2: Fix some manpage typos
1.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2.SH "NAME"
aab2702d 3ip-xfrm \- transform configuration
4.SH "SYNOPSIS"
5.sp
6.ad l
7.in +8
8.ti -8
9.B ip
10.RI "[ " OPTIONS " ]"
11.B xfrm
12.RI " { " COMMAND " | "
13.BR help " }"
14.sp
15
16.ti -8
17.B "ip xfrm"
18.IR XFRM-OBJECT " { " COMMAND " | "
19.BR help " }"
20.sp
21
22.ti -8
23.IR XFRM-OBJECT " :="
24.BR state " | " policy " | " monitor
25.sp
26
27.ti -8
28.BR "ip xfrm state" " { " add " | " update " } "
29.IR ID " [ " ALGO-LIST " ]"
30.RB "[ " mode
31.IR MODE " ]"
32.RB "[ " mark
33.I MARK
34.RB "[ " mask
35.IR MASK " ] ]"
36.RB "[ " reqid
37.IR REQID " ]"
38.RB "[ " seq
39.IR SEQ " ]"
40.RB "[ " replay-window
41.IR SIZE " ]"
42.RB "[ " replay-seq
43.IR SEQ " ]"
44.RB "[ " replay-oseq
45.IR SEQ " ]"
46.RB "[ " flag
47.IR FLAG-LIST " ]"
48.RB "[ " sel
49.IR SELECTOR " ] [ " LIMIT-LIST " ]"
50.RB "[ " encap
51.IR ENCAP " ]"
52.RB "[ " coa
53.IR ADDR "[/" PLEN "] ]"
54.RB "[ " ctx
55.IR CTX " ]"
56
57.ti -8
58.B "ip xfrm state allocspi"
59.I ID
60.RB "[ " mode
61.IR MODE " ]"
62.RB "[ " mark
63.I MARK
64.RB "[ " mask
65.IR MASK " ] ]"
66.RB "[ " reqid
67.IR REQID " ]"
68.RB "[ " seq
69.IR SEQ " ]"
70.RB "[ " min
71.I SPI
72.B max
73.IR SPI " ]"
74
75.ti -8
76.BR "ip xfrm state" " { " delete " | " get " } "
77.I ID
78.RB "[ " mark
79.I MARK
80.RB "[ " mask
81.IR MASK " ] ]"
82
83.ti -8
84.BR "ip xfrm state" " { " deleteall " | " list " } ["
85.IR ID " ]"
86.RB "[ " mode
87.IR MODE " ]"
88.RB "[ " reqid
89.IR REQID " ]"
90.RB "[ " flag
91.IR FLAG-LIST " ]"
92
93.ti -8
94.BR "ip xfrm state flush" " [ " proto
95.IR XFRM-PROTO " ]"
96
97.ti -8
98.BR "ip xfrm state count"
99
100.ti -8
101.IR ID " :="
102.RB "[ " src
103.IR ADDR " ]"
104.RB "[ " dst
105.IR ADDR " ]"
106.RB "[ " proto
107.IR XFRM-PROTO " ]"
108.RB "[ " spi
109.IR SPI " ]"
110
111.ti -8
112.IR XFRM-PROTO " :="
113.BR esp " | " ah " | " comp " | " route2 " | " hao
114
115.ti -8
116.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
117
118.ti -8
119.IR ALGO " :="
f3b9aa3d 120.RB "{ " enc " | " auth " } "
29665f92 121.IR ALGO-NAME " " ALGO-KEYMAT " |"
2a9721f1 122.br
2a9721f1 123.B auth-trunc
29665f92 124.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
125.br
126.B aead
29665f92 127.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
128.br
129.B comp
130.IR ALGO-NAME
131
132.ti -8
133.IR MODE " := "
29665f92 134.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
135
136.ti -8
137.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
138
139.ti -8
140.IR FLAG " :="
141.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
142
143.ti -8
144.IR SELECTOR " :="
145.RB "[ " src
146.IR ADDR "[/" PLEN "] ]"
147.RB "[ " dst
148.IR ADDR "[/" PLEN "] ]"
149.RB "[ " dev
150.IR DEV " ]"
151.br
152.RI "[ " UPSPEC " ]"
153
154.ti -8
155.IR UPSPEC " := "
156.BR proto " {"
157.IR PROTO " |"
158.br
159.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
160.IR PORT " ]"
161.RB "[ " dport
162.IR PORT " ] |"
163.br
164.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
165.IR NUMBER " ]"
166.RB "[ " code
167.IR NUMBER " ] |"
168.br
169.BR gre " [ " key
170.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
171
172.ti -8
173.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
174.B limit
175.I LIMIT
176
177.ti -8
178.IR LIMIT " :="
179.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
180.IR "SECONDS" " |"
181.br
182.RB "{ " byte-soft " | " byte-hard " }"
183.IR SIZE " |"
184.br
185.RB "{ " packet-soft " | " packet-hard " }"
186.I COUNT
187
188.ti -8
189.IR ENCAP " :="
190.RB "{ " espinudp " | " espinudp-nonike " }"
191.IR SPORT " " DPORT " " OADDR
192
193.ti -8
194.BR "ip xfrm policy" " { " add " | " update " }"
195.I SELECTOR
196.B dir
197.I DIR
198.RB "[ " ctx
199.IR CTX " ]"
200.RB "[ " mark
201.I MARK
202.RB "[ " mask
203.IR MASK " ] ]"
204.RB "[ " index
205.IR INDEX " ]"
206.RB "[ " ptype
207.IR PTYPE " ]"
208.RB "[ " action
209.IR ACTION " ]"
210.RB "[ " priority
211.IR PRIORITY " ]"
212.RB "[ " flag
213.IR FLAG-LIST " ]"
214.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
215
216.ti -8
217.BR "ip xfrm policy" " { " delete " | " get " }"
218.RI "{ " SELECTOR " | "
219.B index
220.IR INDEX " }"
221.B dir
222.I DIR
223.RB "[ " ctx
224.IR CTX " ]"
225.RB "[ " mark
226.I MARK
227.RB "[ " mask
228.IR MASK " ] ]"
229.RB "[ " ptype
230.IR PTYPE " ]"
231
232.ti -8
233.BR "ip xfrm policy" " { " deleteall " | " list " }"
234.RI "[ " SELECTOR " ]"
235.RB "[ " dir
236.IR DIR " ]"
237.RB "[ " index
238.IR INDEX " ]"
239.RB "[ " ptype
240.IR PTYPE " ]"
241.RB "[ " action
242.IR ACTION " ]"
243.RB "[ " priority
244.IR PRIORITY " ]"
245
246.ti -8
247.B "ip xfrm policy flush"
248.RB "[ " ptype
249.IR PTYPE " ]"
250
251.ti -8
252.B "ip xfrm policy count"
253
254.ti -8
255.IR SELECTOR " :="
256.RB "[ " src
257.IR ADDR "[/" PLEN "] ]"
258.RB "[ " dst
259.IR ADDR "[/" PLEN "] ]"
260.RB "[ " dev
261.IR DEV " ]"
262.RI "[ " UPSPEC " ]"
263
264.ti -8
265.IR UPSPEC " := "
266.BR proto " {"
267.IR PROTO " |"
268.br
269.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
270.IR PORT " ]"
271.RB "[ " dport
272.IR PORT " ] |"
273.br
274.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
275.IR NUMBER " ]"
276.RB "[ " code
277.IR NUMBER " ] |"
278.br
279.BR gre " [ " key
280.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
281
282.ti -8
283.IR DIR " := "
284.BR in " | " out " | " fwd
285
286.ti -8
287.IR PTYPE " := "
288.BR main " | " sub
289
290.ti -8
291.IR ACTION " := "
292.BR allow " | " block
293
294.ti -8
295.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
296
297.ti -8
298.IR FLAG " :="
299.BR localok " | " icmp
300
301.ti -8
302.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
303.B limit
304.I LIMIT
305
306.ti -8
307.IR LIMIT " :="
308.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
309.IR "SECONDS" " |"
310.br
311.RB "{ " byte-soft " | " byte-hard " }"
312.IR SIZE " |"
313.br
314.RB "{ " packet-soft " | " packet-hard " }"
315.I COUNT
316
317.ti -8
318.IR TMPL-LIST " := [ " TMPL-LIST " ]"
319.B tmpl
320.I TMPL
321
322.ti -8
323.IR TMPL " := " ID
324.RB "[ " mode
325.IR MODE " ]"
326.RB "[ " reqid
327.IR REQID " ]"
328.RB "[ " level
329.IR LEVEL " ]"
330
331.ti -8
332.IR ID " :="
333.RB "[ " src
334.IR ADDR " ]"
335.RB "[ " dst
336.IR ADDR " ]"
337.RB "[ " proto
338.IR XFRM-PROTO " ]"
339.RB "[ " spi
340.IR SPI " ]"
341
342.ti -8
343.IR XFRM-PROTO " :="
344.BR esp " | " ah " | " comp " | " route2 " | " hao
345
346.ti -8
347.IR MODE " := "
29665f92 348.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
349
350.ti -8
351.IR LEVEL " :="
352.BR required " | " use
353
354.ti -8
355.BR "ip xfrm monitor" " [ " all " |"
356.IR LISTofXFRM-OBJECTS " ]"
357
358.in -8
359.ad b
360
361.SH DESCRIPTION
362
363xfrm is an IP framework for transforming packets (such as encrypting
364their payloads). This framework is used to implement the IPsec protocol
365suite (with the
366.B state
367object operating on the Security Association Database, and the
368.B policy
369object operating on the Security Policy Database). It is also used for
370the IP Payload Compression Protocol and features of Mobile IPv6.
371
372.SS ip xfrm state add - add new state into xfrm
373
374.SS ip xfrm state update - update existing state in xfrm
375
376.SS ip xfrm state allocspi - allocate an SPI value
377
378.SS ip xfrm state delete - delete existing state in xfrm
379
380.SS ip xfrm state get - get existing state in xfrm
381
382.SS ip xfrm state deleteall - delete all existing state in xfrm
383
384.SS ip xfrm state list - print out the list of existing state in xfrm
385
386.SS ip xfrm state flush - flush all state in xfrm
387
388.SS ip xfrm state count - count all existing state in xfrm
389
390.TP
391.IR ID
392is specified by a source address, destination address,
393.RI "transform protocol " XFRM-PROTO ","
394and/or Security Parameter Index
395.IR SPI "."
396(For IP Payload Compression, the Compression Parameter Index or CPI is used for
397.IR SPI ".)"
398
399.TP
400.I XFRM-PROTO
401specifies a transform protocol:
402.RB "IPsec Encapsulating Security Payload (" esp "),"
403.RB "IPsec Authentication Header (" ah "),"
404.RB "IP Payload Compression (" comp "),"
405.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
406.RB "Mobile IPv6 Home Address Option (" hao ")."
407
408.TP
409.I ALGO-LIST
410contains one or more algorithms to use. Each algorithm
411.I ALGO
412is specified by:
413.RS
414.IP \[bu]
415the algorithm type:
2a9721f1 416.RB "encryption (" enc "),"
417.RB "authentication (" auth " or " auth-trunc "),"
418.RB "authenticated encryption with associated data (" aead "), or"
419.RB "compression (" comp ")"
420.IP \[bu]
421the algorithm name
422.IR ALGO-NAME
423(see below)
424.IP \[bu]
425.RB "(for all except " comp ")"
426the keying material
427.IR ALGO-KEYMAT ","
428which may include both a key and a salt or nonce value; refer to the
429corresponding RFC
430.IP \[bu]
431.RB "(for " auth-trunc " only)"
432the truncation length
433.I ALGO-TRUNC-LEN
434in bits
435.IP \[bu]
436.RB "(for " aead " only)"
437the Integrity Check Value length
438.I ALGO-ICV-LEN
439in bits
440.RE
441
442.nh
443.RS
444Encryption algorithms include
445.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
446.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
447.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
448
449Authentication algorithms include
450.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
451.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
452
453Authenticated encryption with associated data (AEAD) algorithms include
454.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
455
456Compression algorithms include
457.BR deflate ", " lzs ", and " lzjh "."
458.RE
459.hy
460
461.TP
462.I MODE
463specifies a mode of operation for the transform protocol. IPsec and IP Payload
464Compression modes are
465.BR transport ", " tunnel ","
466and (for IPsec ESP only) Bound End-to-End Tunnel
467.RB "(" beet ")."
468Mobile IPv6 modes are route optimization
469.RB "(" ro ")"
470and inbound trigger
471.RB "(" in_trigger ")."
472
473.TP
474.I FLAG-LIST
475contains one or more of the following optional flags:
476.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
477.BR af-unspec ", or " align4 "."
478
479.TP
480.IR SELECTOR
481selects the traffic that will be controlled by the policy, based on the source
482address, the destination address, the network device, and/or
483.IR UPSPEC "."
484
485.TP
486.IR UPSPEC
487selects traffic by protocol. For the
488.BR tcp ", " udp ", " sctp ", or " dccp
489protocols, the source and destination port can optionally be specified.
490For the
491.BR icmp ", " ipv6-icmp ", or " mobility-header
492protocols, the type and code numbers can optionally be specified.
493For the
494.B gre
495protocol, the key can optionally be specified as a dotted-quad or number.
496Other protocols can be selected by name or number
497.IR PROTO "."
498
499.TP
500.I LIMIT-LIST
501sets limits in seconds, bytes, or numbers of packets.
502
503.TP
504.I ENCAP
505encapsulates packets with protocol
506.BR espinudp " or " espinudp-nonike ","
507.RI "using source port " SPORT ", destination port " DPORT
508.RI ", and original address " OADDR "."
509
510.SS ip xfrm policy add - add a new policy
511
512.SS ip xfrm policy update - update an existing policy
513
514.SS ip xfrm policy delete - delete an existing policy
515
516.SS ip xfrm policy get - get an existing policy
517
518.SS ip xfrm policy deleteall - delete all existing xfrm policies
519
520.SS ip xfrm policy list - print out the list of xfrm policies
521
522.SS ip xfrm policy flush - flush policies
523
524.SS ip xfrm policy count - count existing policies
525
526.TP
527.IR SELECTOR
528selects the traffic that will be controlled by the policy, based on the source
529address, the destination address, the network device, and/or
530.IR UPSPEC "."
531
532.TP
533.IR UPSPEC
534selects traffic by protocol. For the
535.BR tcp ", " udp ", " sctp ", or " dccp
536protocols, the source and destination port can optionally be specified.
537For the
538.BR icmp ", " ipv6-icmp ", or " mobility-header
539protocols, the type and code numbers can optionally be specified.
540For the
541.B gre
542protocol, the key can optionally be specified as a dotted-quad or number.
543Other protocols can be selected by name or number
544.IR PROTO "."
545
546.TP
547.I DIR
548selects the policy direction as
549.BR in ", " out ", or " fwd "."
550
551.TP
552.I CTX
553sets the security context.
554
555.TP
556.I PTYPE
557can be
558.BR main " (default) or " sub "."
559
560.TP
561.I ACTION
562can be
563.BR allow " (default) or " block "."
564
565.TP
566.I PRIORITY
567is a number that defaults to zero.
568
569.TP
570.I FLAG-LIST
571contains one or both of the following optional flags:
572.BR localok " or " icmp "."
573
574.TP
575.I LIMIT-LIST
576sets limits in seconds, bytes, or numbers of packets.
577
578.TP
579.I TMPL-LIST
580is a template list specified using
581.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
582
583.TP
584.IR ID
585is specified by a source address, destination address,
586.RI "transform protocol " XFRM-PROTO ","
587and/or Security Parameter Index
588.IR SPI "."
589(For IP Payload Compression, the Compression Parameter Index or CPI is used for
590.IR SPI ".)"
591
592.TP
593.I XFRM-PROTO
594specifies a transform protocol:
595.RB "IPsec Encapsulating Security Payload (" esp "),"
596.RB "IPsec Authentication Header (" ah "),"
597.RB "IP Payload Compression (" comp "),"
598.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
599.RB "Mobile IPv6 Home Address Option (" hao ")."
600
601.TP
602.I MODE
603specifies a mode of operation for the transform protocol. IPsec and IP Payload
604Compression modes are
605.BR transport ", " tunnel ","
606and (for IPsec ESP only) Bound End-to-End Tunnel
607.RB "(" beet ")."
608Mobile IPv6 modes are route optimization
609.RB "(" ro ")"
610and inbound trigger
611.RB "(" in_trigger ")."
612
613.TP
614.I LEVEL
615can be
616.BR required " (default) or " use "."
617
618.SS ip xfrm monitor - state monitoring for xfrm objects
619The xfrm objects to monitor can be optionally specified.
620
621.SH AUTHOR
29665f92 622Manpage revised by David Ward <david.ward@ll.mit.edu>